1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
/*
* digest support for NTP, MD5 and with OpenSSL more
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "ntp_fp.h"
#include "ntp_string.h"
#include "ntp_stdlib.h"
#include "ntp.h"
#include "isc/string.h"
typedef struct {
const void * buf;
size_t len;
} robuffT;
typedef struct {
void * buf;
size_t len;
} rwbuffT;
#if defined(OPENSSL) && defined(ENABLE_CMAC)
static size_t
cmac_ctx_size(
CMAC_CTX * ctx
)
{
size_t mlen = 0;
if (ctx) {
EVP_CIPHER_CTX * cctx;
if (NULL != (cctx = CMAC_CTX_get0_cipher_ctx (ctx)))
mlen = EVP_CIPHER_CTX_block_size(cctx);
}
return mlen;
}
#endif /* OPENSSL && ENABLE_CMAC */
/*
* Allocate and initialize a digest context. As a speed optimization,
* take an idea from ntpsec and cache the context to avoid malloc/free
* overhead in time-critical paths. ntpsec also caches the algorithms
* with each key.
* This is not thread-safe, but that is
* not a problem at present.
*/
static EVP_MD_CTX *
get_md_ctx(
int nid
)
{
#ifndef OPENSSL
static MD5_CTX md5_ctx;
DEBUG_INSIST(NID_md5 == nid);
MD5Init(&md5_ctx);
return &md5_ctx;
#else
if (!EVP_DigestInit(digest_ctx, EVP_get_digestbynid(nid))) {
msyslog(LOG_ERR, "%s init failed", OBJ_nid2sn(nid));
return NULL;
}
return digest_ctx;
#endif /* OPENSSL */
}
static size_t
make_mac(
const rwbuffT * digest,
int ktype,
const robuffT * key,
const robuffT * msg
)
{
/*
* Compute digest of key concatenated with packet. Note: the
* key type and digest type have been verified when the key
* was created.
*/
size_t retlen = 0;
#ifdef OPENSSL
INIT_SSL();
/* Check if CMAC key type specific code required */
# ifdef ENABLE_CMAC
if (ktype == NID_cmac) {
CMAC_CTX * ctx = NULL;
void const * keyptr = key->buf;
u_char keybuf[AES_128_KEY_SIZE];
/* adjust key size (zero padded buffer) if necessary */
if (AES_128_KEY_SIZE > key->len) {
memcpy(keybuf, keyptr, key->len);
zero_mem((keybuf + key->len),
(AES_128_KEY_SIZE - key->len));
keyptr = keybuf;
}
if (NULL == (ctx = CMAC_CTX_new())) {
msyslog(LOG_ERR, "MAC encrypt: CMAC %s CTX new failed.", CMAC);
goto cmac_fail;
}
if (!CMAC_Init(ctx, keyptr, AES_128_KEY_SIZE, EVP_aes_128_cbc(), NULL)) {
msyslog(LOG_ERR, "MAC encrypt: CMAC %s Init failed.", CMAC);
goto cmac_fail;
}
if (cmac_ctx_size(ctx) > digest->len) {
msyslog(LOG_ERR, "MAC encrypt: CMAC %s buf too small.", CMAC);
goto cmac_fail;
}
if (!CMAC_Update(ctx, msg->buf, msg->len)) {
msyslog(LOG_ERR, "MAC encrypt: CMAC %s Update failed.", CMAC);
goto cmac_fail;
}
if (!CMAC_Final(ctx, digest->buf, &retlen)) {
msyslog(LOG_ERR, "MAC encrypt: CMAC %s Final failed.", CMAC);
retlen = 0;
}
cmac_fail:
if (ctx)
CMAC_CTX_free(ctx);
}
else
# endif /* ENABLE_CMAC */
{ /* generic MAC handling */
EVP_MD_CTX * ctx;
u_int uilen = 0;
ctx = get_md_ctx(ktype);
if (NULL == ctx) {
goto mac_fail;
}
if ((size_t)EVP_MD_CTX_size(ctx) > digest->len) {
msyslog(LOG_ERR, "MAC encrypt: MAC %s buf too small.",
OBJ_nid2sn(ktype));
goto mac_fail;
}
if (!EVP_DigestUpdate(ctx, key->buf, (u_int)key->len)) {
msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update key failed.",
OBJ_nid2sn(ktype));
goto mac_fail;
}
if (!EVP_DigestUpdate(ctx, msg->buf, (u_int)msg->len)) {
msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update data failed.",
OBJ_nid2sn(ktype));
goto mac_fail;
}
if (!EVP_DigestFinal(ctx, digest->buf, &uilen)) {
msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Final failed.",
OBJ_nid2sn(ktype));
uilen = 0;
}
mac_fail:
retlen = (size_t)uilen;
}
#else /* !OPENSSL follows */
if (NID_md5 == ktype) {
EVP_MD_CTX * ctx;
ctx = get_md_ctx(ktype);
if (digest->len < MD5_LENGTH) {
msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 buf too small.");
} else {
MD5Init(ctx);
MD5Update(ctx, (const void *)key->buf, key->len);
MD5Update(ctx, (const void *)msg->buf, msg->len);
MD5Final(digest->buf, ctx);
retlen = MD5_LENGTH;
}
} else {
msyslog(LOG_ERR, "MAC encrypt: invalid key type %d", ktype);
}
#endif /* !OPENSSL */
return retlen;
}
/*
* MD5authencrypt - generate message digest
*
* Returns 0 on failure or length of MAC including key ID.
*/
size_t
MD5authencrypt(
int type, /* hash algorithm */
const u_char * key, /* key pointer */
size_t klen, /* key length */
u_int32 * pkt, /* packet pointer */
size_t length /* packet length */
)
{
u_char digest[EVP_MAX_MD_SIZE];
rwbuffT digb = { digest, sizeof(digest) };
robuffT keyb = { key, klen };
robuffT msgb = { pkt, length };
size_t dlen;
dlen = make_mac(&digb, type, &keyb, &msgb);
if (0 == dlen) {
return 0;
}
memcpy((u_char *)pkt + length + KEY_MAC_LEN, digest,
min(dlen, MAX_MDG_LEN));
return (dlen + KEY_MAC_LEN);
}
/*
* MD5authdecrypt - verify MD5 message authenticator
*
* Returns one if digest valid, zero if invalid.
*/
int
MD5authdecrypt(
int type, /* hash algorithm */
const u_char * key, /* key pointer */
size_t klen, /* key length */
u_int32 * pkt, /* packet pointer */
size_t length, /* packet length */
size_t size, /* MAC size */
keyid_t keyno /* key id (for err log) */
)
{
u_char digest[EVP_MAX_MD_SIZE];
rwbuffT digb = { digest, sizeof(digest) };
robuffT keyb = { key, klen };
robuffT msgb = { pkt, length };
size_t dlen = 0;
dlen = make_mac(&digb, type, &keyb, &msgb);
if (0 == dlen || size != dlen + KEY_MAC_LEN) {
msyslog(LOG_ERR,
"MAC decrypt: MAC length error: %u not %u for key %u",
(u_int)size, (u_int)(dlen + KEY_MAC_LEN), keyno);
return FALSE;
}
return !isc_tsmemcmp(digest,
(u_char *)pkt + length + KEY_MAC_LEN, dlen);
}
/*
* Calculate the reference id from the address. If it is an IPv4
* address, use it as is. If it is an IPv6 address, do a md5 on
* it and use the bottom 4 bytes.
* The result is in network byte order for IPv4 addreseses. For
* IPv6, ntpd long differed in the hash calculated on big-endian
* vs. little-endian because the first four bytes of the MD5 hash
* were used as a u_int32 without any byte swapping. This broke
* the refid-based loop detection between mixed-endian systems.
* In order to preserve behavior on the more-common little-endian
* systems, the hash is now byte-swapped on big-endian systems to
* match the little-endian hash. This is ugly but it seems better
* than changing the IPv6 refid calculation on the more-common
* systems.
* This is not thread safe, not a problem so far.
*/
u_int32
addr2refid(sockaddr_u *addr)
{
static MD5_CTX md5_ctx;
union u_tag {
u_char digest[MD5_DIGEST_LENGTH];
u_int32 addr_refid;
} u;
if (IS_IPV4(addr)) {
return (NSRCADR(addr));
}
/* MD5 is not used for authentication here. */
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, (void *)&SOCK_ADDR6(addr), sizeof(SOCK_ADDR6(addr)));
MD5Final(u.digest, &md5_ctx);
#ifdef WORDS_BIGENDIAN
u.addr_refid = BYTESWAP32(u.addr_refid);
#endif
return u.addr_refid;
}
|
